
Feature Request - Better Bluetooth management options

My organisation is struggling with figuring out the best way to manage Bluetooth. We want to enable it as it provides such a productivity benefit for our customers, but our security team is not having it.

What is the best way to GRANULARLY manage Bluetooth in the enterprise on a Windows 10 Enterprise laptop? (By granularly, I mean, allow only trusted devices/device types)

Hi there, thanks for your question!

I've done some digging; it looks like SCCM only lets you block or allow all Bluetooth connections today. Intune also has additional granularity, with configurability around allowing pre-pairing and discoverability, as well as the ability to set the Bluetooth device name.

I totally realize that these don't cover what you are looking for (yet) :)

What kind of granularity do you need around device type? Is it important to be able to specify a specific, unique device BT whitelist?

Hi Dune,

Thanks for your response.

As you mentioned, Intune can provide some options with regards to managing Bluetooth, but it seems like a lot to install/configure/sustain *just to manage Bluetooth* on our corporate Windows 10 Enterprise laptops.

Despite advances in Bluetooth revisions, my research showed that Bluetooth LE (Low Energy) devices are still considered insecure. So, I'd like to block all devices of that class. Also, if I had the option to limit to the make/model of a specific keyboard, mouse, headset, or stylus that our corporation would be issuing, that would be AMAZING. Then we wouldn't need to worry about vulnerabilities introduced from other devices, and support for the issued devices makes our lives easier.

Right now, without Intune, it's ALL or NOTHING.

This should be the policy you need:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider...

But you need to track down the Bluetooth Service UUIDs for what you want to include support for.
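For the service-UUID allow-list approach described above, here is an added PowerShell example (not from this thread, and not Microsoft's own code) that builds a `Bluetooth/ServicesAllowedList` policy value from well-known Bluetooth SIG 16-bit service IDs and lists the service UUIDs that already-paired devices expose on the laptop, so anything outside the list is visible before enforcement. It assumes the policy takes a semicolon-separated list of `{UUID}` entries and that classic Bluetooth service nodes enumerate under `BTHENUM` with the service GUID in their instance ID; the function names are hypothetical.

```powershell
# Added example, not from the thread. Assumptions: Bluetooth/ServicesAllowedList takes
# "{UUID};{UUID};..." and paired service nodes appear as BTHENUM\{<service GUID>}_... .

# Bluetooth SIG base UUID: 16-bit ID 0xNNNN expands to 0000NNNN-0000-1000-8000-00805F9B34FB
$BtBaseSuffix = '-0000-1000-8000-00805F9B34FB'

function ConvertTo-BluetoothServiceUuid {
    param([Parameter(Mandatory)][ValidateRange(0, 65535)][int]$ShortId)
    '{0:X8}{1}' -f $ShortId, $BtBaseSuffix
}

# Well-known service IDs for the peripherals the poster wants to allow:
# keyboard/mouse = HID profile, headset = Headset / Hands-Free / A2DP audio sink.
$AllowedServices = [ordered]@{
    HumanInterfaceDevice = 0x1124
    Headset              = 0x1108
    HandsFree            = 0x111E
    AudioSink            = 0x110B
}

function New-ServicesAllowedListValue {
    param([Parameter(Mandatory)][int[]]$ShortIds)
    ($ShortIds | ForEach-Object { '{' + (ConvertTo-BluetoothServiceUuid $_) + '}' }) -join ';'
}

$PolicyValue = New-ServicesAllowedListValue -ShortIds ([int[]]$AllowedServices.Values)
Write-Host "Bluetooth/ServicesAllowedList = $PolicyValue"

# Discovery aid: which service UUIDs do paired devices on this machine already use,
# and would each one survive the allow-list? Anything with Allowed = False will be cut off.
function Get-PairedBluetoothServiceUuids {
    param([Parameter(Mandatory)][string]$AllowedList)
    Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.InstanceId -match '^BTHENUM\\\{([0-9A-Fa-f-]{36})\}') {
            $uuid = $Matches[1].ToUpper()
            [pscustomobject]@{
                ServiceUuid = $uuid
                Device      = $_.FriendlyName
                Allowed     = $AllowedList.ToUpper().Contains($uuid)
            }
        }
    } | Sort-Object -Property ServiceUuid, Device -Unique
}

Get-PairedBluetoothServiceUuids -AllowedList $PolicyValue | Format-Table -AutoSize
```

Any MDM that supports the Policy CSP can set this node; the allow-list is by service profile, so it cannot by itself pin a specific make/model of peripheral.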

@Nathan Mercer Thanks for the replies, Nathan!

If I am not mistaken, one would require Intune in order to apply that Bluetooth policy? Our issue is that a single policy requirement doesn't justify the effort to design, configure, deploy and support yet another service (Intune) as we already have an MDM in place.

As for the script, we have already successfully implemented this. It works nicely with 1703. :)